Posted by samzenpus on Sunday December 09, 2012 @07:33PM from the bad-stuff dept.

angry tapir writes "Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones. However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol."

Tor only anonymizes the source of the data; anything between the exit node and destination is sent in the clear, and likely they've made some mistake that'll allow it to be blockable.

One feature of Tor is "hidden services", where the traffic is encrypted end-to-end and even the service itself is anonymous, identified only through a .onion address. I'd guess this is what they're using.

Some Tor nodes filter certain exits -- i.e. to not allow porn through their node. If this works for hidden services, I imagine this botnet could be blacklisted fairly easily if enough of the node operators got in on the act.
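The "exit filtering" the comment above refers to is the relay's ExitPolicy, an ordered list of accept/reject rules that a relay applies to every connection it opens to the outside on a client's behalf. The evaluator below is an added example written for this page, not code from Rapid7, Tor, or any of the posters; it parses the torrc ExitPolicy syntax (accept|reject ADDR[/MASK]:PORT, with * for any address or port, a-b for a port range, and the private keyword) for IPv4 destinations and returns the verdict for a destination using first-match semantics. The policy, addresses and ports are constructed for illustration. Two caveats a practitioner should keep in mind: the private keyword is approximated here with the RFC 1918, loopback, link-local and 0.0.0.0/8 ranges (a real relay also adds its own public address), and a policy with no matching rule is treated as reject here for definiteness, whereas tor itself appends its built-in default policy. Note also that exit policies only govern traffic that leaves the network through an exit relay; a connection to a .onion address is rendezvoused inside the Tor network and never reaches an exit relay's policy at all.

```python
"""Evaluate a torrc-style ExitPolicy against an IPv4 destination (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Assumption: the ranges Tor's "private" keyword stands for in this model.
# A real relay additionally rejects its own public address, which we do not know here.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample policy in ExitPolicy syntax; rules are evaluated in order, first match wins.
SAMPLE_POLICY = "reject private:*, accept *:80, accept *:443, reject *:*"


@dataclass
class Rule:
    accept: bool
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty means any address
    port_lo: int = 1
    port_hi: int = 65535


def parse_rule(text: str) -> Rule:
    """Parse one 'accept ADDR:PORT' / 'reject ADDR:PORT' entry (IPv4 only)."""
    action, _, target = text.strip().partition(" ")
    target = target.strip()
    if action not in ("accept", "reject") or not target:
        raise ValueError(f"malformed rule: {text!r}")
    addr, sep, port = target.rpartition(":")
    if not sep:
        raise ValueError(f"rule needs ADDR:PORT form: {text!r}")
    if addr == "*":
        networks: List[ipaddress.IPv4Network] = []
    elif addr == "private":
        networks = list(PRIVATE_NETWORKS)
    else:
        # strict=False lets a host address like 1.2.3.4 parse as a /32 network
        networks = [ipaddress.ip_network(addr, strict=False)]
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in rule: {text!r}")
    return Rule(action == "accept", networks, lo, hi)


def parse_policy(policy: str) -> List[Rule]:
    """Split a comma-separated ExitPolicy line into ordered rules."""
    return [parse_rule(entry) for entry in policy.split(",") if entry.strip()]


def exit_allowed(rules: List[Rule], dest_ip: str, dest_port: int) -> bool:
    """Return True if the exit relay would open a connection to dest_ip:dest_port."""
    target = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if rule.networks and not any(target in net for net in rule.networks):
            continue
        if not rule.port_lo <= dest_port <= rule.port_hi:
            continue
        return rule.accept
    # Assumption: no matching rule means reject. Real tor appends its built-in
    # default policy instead; operators who want a definite answer end the list
    # with an explicit "accept *:*" or "reject *:*".
    return False


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for ip, port in [("93.184.216.34", 80), ("93.184.216.34", 25), ("192.168.1.5", 80)]:
        verdict = "accept" if exit_allowed(rules, ip, port) else "reject"
        print(f"{ip}:{port} -> {verdict}")
```

Running the script evaluates three constructed destinations against SAMPLE_POLICY: port 80 to a public address is accepted, port 25 falls through to the closing reject, and a private address is rejected by the first rule regardless of port.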